Short Answer

The Agent collects technical security telemetry needed for a WordPress Security Audit. It is not designed to collect full customer content, full database dumps, payment card data, private communications, or WordPress user passwords as part of normal scanning.

What the Agent May Collect

Data Type	Why It May Be Used
Domain and site identity	To connect the correct WordPress site to the correct Aegisify Audit target.
WordPress version and environment details	To assess compatibility, exposure, outdated software, and security posture.
Plugin and theme inventory	To support plugin security review, dependency visibility, and vulnerability analysis.
Static code signals	To support SAST-style review for risky patterns, suspicious files, and remediation planning.
Public exposure signals	To connect local context with DAST-style findings such as routes, headers, API exposure, and login/session surfaces.
WordPress activity events	To help identify admin actions, plugin changes, file changes, login activity, and suspicious operational patterns.
Optional debug log data	To help troubleshoot errors, warnings, failed plugin behavior, and security-relevant issues if the customer allows access.
Scan findings and report data	To generate dashboards, risk summaries, remediation recommendations, and sample-style audit reports.

What the Agent Is Not Designed to Collect

• Full WordPress database dumps for normal scanning.
• Full customer content libraries as a default audit requirement.
• Payment card data.
• WordPress user passwords.
• Private messages or communications as a normal product feature.
• Unrelated business documents outside the WordPress audit scope.

How Telemetry Access Works

The Agent must be installed and activated in WordPress by an authorized administrator. The WordPress site is connected to Aegisify Audit using the target domain setup and an encryption/security key from the SaaS dashboard. Telemetry access is controlled inside the Agent so customers can decide what types of security signals are enabled for analysis.

This matters because a WordPress Security Audit should not rely on hidden collection. The buyer should know when the Agent is installed, when it is connected, and which telemetry controls are enabled.

What Data Is Sent to SaaS

The SaaS platform may receive structured scan results, plugin and dependency signals, WordPress environment data, activity events, optional logs, security findings, risk summaries, report data, and AI-assisted analysis inputs needed to support the audit workflow.

The SaaS uses this data to organize findings, prioritize risk, generate dashboards, support reports, and help Artificial Intelligence summarize what matters. AI output should be treated as guidance that requires human review.

How Encryption and Security Keys Work

Aegisify Audit uses a security/encryption key during Agent setup to connect the correct WordPress Agent to the correct SaaS target. Customers copy the key from the SaaS Agent details area and paste it into the WordPress Agent settings. The connection is verified over SSL before scans are run.

Customers should treat the key like a secret. Do not publish it, email it broadly, commit it to source control, or place it in public screenshots.

Are Logs Optional?

Yes, logs should be treated as optional and controlled telemetry. WordPress activity sensors can help Aegisify Audit understand important changes and suspicious behavior. Debug log access can help identify plugin errors, PHP warnings, failed operations, and security-relevant technical signals.

Important: debug logs may contain sensitive data if your site, theme, plugin, or hosting environment writes sensitive data into logs. Review log settings carefully and avoid leaving debug logging enabled permanently on production sites unless there is a clear operational reason.

Is Customer Content Collected?

Aegisify should not be positioned as collecting full customer content as part of normal WordPress Security Audit scanning. The audit workflow is focused on technical security telemetry, configuration, plugin security, SAST, DAST-style signals, logs, and findings.

How Long Is Data Retained?

Aegisify should retain scan and account data only as long as needed to provide the service, support reporting, maintain security, meet legal obligations, or support customer-requested deletion. If a precise retention schedule is added later, publish it here clearly.

How to Disable or Remove the Agent

• Go to WordPress Admin.
• Open Plugins.
• Deactivate the Aegisify Audit Agent.
• Delete the plugin if you no longer want it installed.
• Remove or rotate the Agent security key in the SaaS target settings if needed.

How Scan Results Are Deleted

Customers should be able to delete scan results from the Aegisify Audit workflow where deletion controls are available. For account-level or historical deletion requests, contact Aegisify support or privacy contacts so the request can be reviewed against service, legal, accounting, and security retention requirements.

Bottom Line

Aegisify Agent data exists to make the WordPress Security Audit more useful. It helps connect plugin security, logs, SAST signals, DAST-style evidence, configuration posture, and AI-assisted prioritization into one clearer workflow. The most important trust principle is simple: customers should understand what is collected, why it is used, and how to remove access.